traceroute blocked
I am having problems allowing traceroute through my firewall. I used the following pf rule, but when I look at the pflog0 log live, traceroute seems to be using different ports:
Code:
pass log proto udp from $mgt to $dmzops port 33433 >< 33626
Even if traceroute seems blocked, you can use options to obtain information, such as '-I' or '-P 1'.
Both options use ICMP Echo messages. The second does not work with IPv6. (In fact, it's necessary to pass ICMP messages, which is highly advisable.)
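What a pf ruleset for the setup in the first post can look like, added here as an example (it is not the poster's rule set and not from the thread): the interface names, the addresses behind `$mgt` and `$dmzops`, and the default-deny policy are assumptions. The point it illustrates is that traceroute's outbound probes are UDP, but every reply is an ICMP error (time-exceeded from each hop, port-unreachable from the destination), so those have to be allowed back; pf matches ICMP errors that refer to an existing UDP state, so the stateful `pass` for the probes covers them, while `traceroute -I` additionally needs ICMP echo.

```conf
# Added example, not from the thread. Interfaces and addresses are placeholders.
mgt_if  = "em1"
dmz_if  = "em2"
mgt     = "192.0.2.0/24"
dmzops  = "198.51.100.0/24"

# Default deny; logged so that anything still dropped shows up on pflog0.
block log all

# UDP probes from the management net to the DMZ. traceroute(8) sends one
# probe per destination port, counting up from its base port (33434 unless
# -p is given); "><" is an exclusive range, so this matches 33434 through
# 33625. A traceroute started with another -p base, or from a host whose
# traceroute uses a different port range, needs this range adjusted.
pass in  on $mgt_if proto udp from $mgt to $dmzops port 33433 >< 33626
pass out on $dmz_if proto udp from $mgt to $dmzops port 33433 >< 33626

# Replies are ICMP errors: type 11 (time-exceeded) from intermediate hops and
# type 3 code 3 (port-unreachable) from the target. pf matches ICMP error
# packets against the UDP state created by the probe, so they need no rule of
# their own. The same holds for ICMPv6 (types 3 and 1) with traceroute6.

# traceroute -I sends ICMP echo requests instead; the echo replies match the
# state these rules create.
pass in  on $mgt_if proto icmp from $mgt to $dmzops icmp-type echoreq
pass out on $dmz_if proto icmp from $mgt to $dmzops icmp-type echoreq
```

With `block log all` in place, any probe or reply that still gets dropped is visible with `tcpdump -n -e -ttt -i pflog0`, which is the quickest way to see whether the drop is the UDP probe on the way out or the ICMP error on the way back.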
Our admin says ICMP is dangerous and can crash your OS. Is it really that bad?
Your admin is repeating 35-40 year old advice. I recommend you both read Networking for Systems Administrators by Michael W Lucas.
https://www.amazon.com/Networking-Sy.../dp/B00STLTH74

I agree with you @jggimi.
Yes, ICMP can be dangerous, but only if you don't know how to use and protect it correctly! (Search for information about SMURF, Slowloris and Ping of Death attacks.) It's important to filter ICMP traffic: drop a few ICMP codes, return or drop the deprecated codes, and limit the rest. RFCs and drafts exist; read them!
- https://tools.ietf.org/html/draft-ie...p-filtering-04
- For ICMP: RFC 5927, 6633, 6918; and for ICMPv6: RFC 4890 (and certainly others). See http://www.rfc-editor.org/info/RFCxyz, where 'xyz' is the number of the RFC.
And dropping, returning or limiting with PF is easier than with iptables.
----
If you or your admin read French articles, you can see my articles about this on my older blog:
- https://blog.stephane-huc.net/securi...-firewall-icmp
- https://blog.stephane-huc.net/securi...et-filter/icmp
----
Just for example, my PF rules on my laptop, with drop policies by default, for ICMP and ICMPv6 are:
Code:
(…)
icmp_auth = "{ 8 11 12 }"
icmp_block = "{ 4 6 15 16 17 18 31 32 33 34 35 36 37 38 39 }"
(…)
icmp6_auth = "{ unreach, toobig, timex code 0, timex code 1, paramprob code 1, paramprob code 2, echoreq, routeradv, neighbrsol, neighbradv }"
icmp6_block = "{ 100 101 127 138 139 140 144 145 146 147 150 200 201 }"
icmp6_in = "{ redir }"
(…)
icmp_sto = "(max-src-conn-rate 10/1)"
(…)
block quick log on egress inet6 proto icmp6 icmp6-type $icmp6_block
block quick on egress inet proto icmp icmp-type 3 code 6
block in quick on egress inet proto icmp icmp-type 3 code 7
block quick on egress inet proto icmp icmp-type 3 code 8
block quick on egress inet proto icmp icmp-type $icmp_block
(…)
block all
pass out
(…)
pass quick log on egress inet6 proto icmp6 icmp6-type $icmp6_auth
pass in quick log on egress inet6 proto icmp6 icmp6-type $icmp6_in
(…)
pass in quick on egress inet proto icmp from any to egress icmp-type 3 code 3 $icmp_sto
pass in quick on egress inet proto icmp from any to egress icmp-type $icmp_auth $icmp_sto
pass out quick on egress inet proto icmp from egress to any icmp-type 3 code 3 $icmp_sto
pass out quick on egress inet proto icmp from egress to any icmp-type $icmp_auth $icmp_sto
(…)
pass out quick on egress inet proto icmp from egress to any icmp-type $icmp_auth $icmp_sto
(…)
# this rule is for traceroute; if it doesn't work, it's not serious, because using the '-I' option works correctly.
pass out on egress proto udp from any to any port 33433 >< 33626
Last edited by CiotBSD; 8th December 2019 at 06:35 PM. Reason: add info about ICMP attacks
For clarity, allow me to quote a little bit from Networking for Systems Administrators: